[PATCH] Reduce SELinux check on KDSKBENT/SENT ioctls

From: Stephen Smalley
Date: Fri Dec 19 2003 - 10:14:15 EST

Next message: Maciej W. Rozycki: "Re: Catching NForce2 lockup with NMI watchdog"
Previous message: Martin J. Bligh: "Re: [PATCH] improve rwsem scalability (was Re: [CFT][RFC] HT scheduler)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch against 2.6.0 reduces the full capability check in the
SELinux module for the KDSKBENT/SENT ioctls to only check the
corresponding SELinux permission, avoiding a change to the Linux
permissions model for these operations. Please apply, or let me know if
you'd like this resubmitted later. Thanks.

security/selinux/hooks.c | 3 +--
1 files changed, 1 insertion(+), 2 deletions(-)

Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.75
diff -u -r1.75 hooks.c
--- linux-2.6/security/selinux/hooks.c 9 Oct 2003 13:03:45 -0000 1.75
+++ linux-2.6/security/selinux/hooks.c 21 Oct 2003 13:08:53 -0000
@@ -1992,8 +1992,7 @@

case KDSKBENT:
case KDSKBSENT:
- if (!capable(CAP_SYS_TTY_CONFIG))
- error = -EPERM;
+ error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
break;

/* default case assumes that the command will go

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Maciej W. Rozycki: "Re: Catching NForce2 lockup with NMI watchdog"
Previous message: Martin J. Bligh: "Re: [PATCH] improve rwsem scalability (was Re: [CFT][RFC] HT scheduler)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]